-
Notifications
You must be signed in to change notification settings - Fork 5
/
nginx.conf
43 lines (32 loc) · 1.32 KB
/
nginx.conf
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
server {
listen 80;
server_name <host>;
return 301 https://$host$request_uri;
}
server {
listen 443 ssl;
server_name <host>;
ssl_certificate /etc/letsencrypt/live/*.<extensive host>/fullchain.cer;
ssl_certificate_key /etc/letsencrypt/live/*.<extensive host>/*.<extensive host>.key;
# disable SSLv2
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
# ciphers' order matters
ssl_ciphers "ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA384:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!aNULL";
# the Elliptic curve key used for the ECDHE cipher.
ssl_ecdh_curve secp384r1;
# let the server choose the cipher
ssl_prefer_server_ciphers on;
# turn on the OCSP Stapling and verify
ssl_stapling on;
ssl_stapling_verify on;
ssl_trusted_certificate /etc/letsencrypt/live/*.<extensive host>/fullchain.cer;
# http compression method is not secure in https
# opens you up to vulnerabilities like BREACH, CRIME
gzip off;
location ^~ /api/v1 {
proxy_set_header Host $host;
proxy_pass http://127.0.0.1:6562;
}
error_log /mnt/log/nginx/<host>/error.log;
access_log /mnt/log/nginx/<host>/access.log;
}